Re: ssh connection survives reboot of stateful iptables router

To: debian-firewall@lists.debian.org
Subject: Re: ssh connection survives reboot of stateful iptables router
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Date: Tue, 4 Jul 2006 12:12:41 +0200 (CEST)
Message-id: <[🔎] Pine.LNX.4.58.0607041207420.4865@blackhole.kfki.hu>
In-reply-to: <[🔎] 20060704095517.GA28709@piper.madduck.net>
References: <[🔎] 20060703215238.GA383@piper.madduck.net> <3F7A2A7C77F7B75AE1DA1484@[192.168.1.72]> <[🔎] 20060704075626.GA18781@piper.madduck.net> <[🔎] Pine.LNX.4.58.0607041127470.4865@blackhole.kfki.hu> <[🔎] 20060704093810.GA27756@piper.madduck.net> <[🔎] Pine.LNX.4.58.0607041139530.4865@blackhole.kfki.hu> <[🔎] 20060704095517.GA28709@piper.madduck.net>

On Tue, 4 Jul 2006, martin f krafft wrote:

> also sprach Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> [2006.07.04.1143 +0200]:
> > That is false, because from connection tracking point of view a plain ACK
> > packet which does not belong to any existing connections has got a state,
> > which is NEW. That is why connection pickup can work.
>
> Yeah, and so it's not INVALID. I did not know about connection
> tracking, but other than that, the following two are equivalent, no?
>
>   accept ESTABLISHED,RELATED
>   drop INVALID
>   accept --dport 22
>   drop
>
> and
>
>   accept ESTABLISHED,RELATED
>   accept --dport 22 --syn
>   drop

No. In the first case you drop INVALID packets (actually, broken ones:
invalid flag-combinations, bad checksum, etc.) and accept any packet
targetting port 22. In the second case you accept SYN packets sent to port
22.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Reply to:

References:
- ssh connection survives reboot of stateful iptables router
  - From: martin f krafft <madduck@debian.org>
- Re: ssh connection survives reboot of stateful iptables router
  - From: Ralf Döblitz <ralf@doeblitz.net>
- Re: ssh connection survives reboot of stateful iptables router
  - From: martin f krafft <madduck@debian.org>
- Re: ssh connection survives reboot of stateful iptables router
  - From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- Re: ssh connection survives reboot of stateful iptables router
  - From: martin f krafft <madduck@debian.org>
- Re: ssh connection survives reboot of stateful iptables router
  - From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- Re: ssh connection survives reboot of stateful iptables router
  - From: martin f krafft <madduck@debian.org>

Prev by Date: Re: ssh connection survives reboot of stateful iptables router
Next by Date: Re: ssh connection survives reboot of stateful iptables router
Previous by thread: Re: ssh connection survives reboot of stateful iptables router
Next by thread: Re: ssh connection survives reboot of stateful iptables router
Index(es):
- Date
- Thread